ZOHAR MANNA and AMIR PNUELI
Applied Mathematics Department
The Weizmann Institute of Science
Rehovot, Israel.

I. Introduction

We present here an axiomatic approach which enables one to prove by formal methods that a program is "totally correct" (i.e., it terminates and is logically correct -- does what it is supposed to do). The approach is similar to Hoare's approach [1969] for proving that a program is "partially correct" (i.e., that whenever it terminates it produces correct results). Our extension to Hoare's method lies in the possibility of proving correctness and termination at once, and in the enlarged scope of properties that can be proved by it.

The class of programs we treat in this paper is the class of while programs which are written in an Algol-like language allowing assignment statements, conditional statements, compound statements and while statements. Go to statements and procedure calls are explicitly excluded, but this restriction does not seem essential and can be removed by appropriate extension of the results presented here.
To review Hoare's notation, he uses assertions of the form

$\{\, p(\bar x) \mid B \mid q(\bar x) \,\}$

(where $p$, $q$ are predicates, and $B$ is a program segment) to mean that for every $\bar x$, if $p(\bar x)$ holds prior to execution of $B$ and the execution of $B$ terminates, then the resulting values after execution will satisfy $q(\bar x)$. His system consists of several basic assertions -- axioms -- describing the transformation on program variables effected by simple statements, and inference rules by which assertions for small segments can be combined into one assertion for a larger segment. Among those are a composition rule, a conditional rule, and a while rule. If starting from the axioms about the simple statements of a program $P$, and employing inference rules one is able to deduce

$\{\, \varphi(\bar x) \mid P \mid \psi(\bar x) \,\}$ ,

then one has shown in fact the partial correctness of $P$ with respect to $\varphi$ and $\psi$, i.e., that for every $\bar x$ satisfying $\varphi(\bar x)$ for which the execution of $P$ terminates, $\psi(\bar x)$ holds for the resulting variables' values.

The assertion we will be using in our method is of the form

$\langle\, p(\bar x) \mid B \mid q(\bar x, \bar x') \,\rangle$

to mean that for every $\bar x$, if $p(\bar x)$ holds prior to execution of $B$, then the execution of $B$ terminates and, denoting the set of resulting values by $\bar x'$, $q(\bar x, \bar x')$ holds. An immediate advantage of this notation is the ability to express relations between values of variables before and after the execution. In the rest of the paper we develop the inference rules for our system which will also ensure that termination is hereditary from constituents to larger program segments.

Since we restrict ourselves to while programs, the only element endangering termination is the while statement. We attack the termination problem of the while statement by requiring the existence of a function from the program variables' domain to a well-founded set, such that on subsequent executions of the while body its value decreases. This function serves as a counter that can decrease only a finite number of times. It is this need to compare values of the counter function before and after execution of the while body which motivated us to extend the notation to relations between two sets of program variables.

If using our inference rules one is able to deduce

$\langle\, \varphi(\bar x) \mid P \mid \psi(\bar x, \bar x') \,\rangle$

then one has shown in fact that $P$ is totally correct with respect to $\varphi$ and $\psi$, i.e., that for every $\bar x$ satisfying $\varphi(\bar x)$, the execution of $P$ terminates and $\psi(\bar x, \bar x')$ holds between the initial values $\bar x$ and the resulting values $\bar x'$. If one is only interested in proving termination over $\varphi$ it is sufficient to show

$\langle\, \varphi(\bar x) \mid P \mid T \,\rangle$ ,

where $T$ is the identically true predicate.

We  should  remark  in  passing  that  although  our  rules 
are  sufficient  to  show  total  correctness,  they  are  by  no 
means  unique  or  even  the  best  possible.  Many  variations 
and  improvements  probably  exist. 

II. The Inference Rules

All the inference rules will be described by a set of antecedents (conditions under which the rule is applicable) followed by a consequent which is the assertion deduced. Each of the antecedents is either an assertion (which should have been previously established) or a logical claim. All the logical claims are considered to be closed by universally quantifying each of their free variables on the same line.

We present first the straightforward rules dealing with assignment, conditionals and compositions and leave the while rule, which is the most complicated, to the end.


(a) Assignment Rule

    $p(\bar x) \land \bar x' = f(\bar x) \supset q(\bar x, \bar x')$
    --------------------------------------------------------------
    $\langle\, p(\bar x) \mid \bar x \leftarrow f(\bar x) \mid q(\bar x, \bar x') \,\rangle$

This rule is essentially an axiom since it uses only logical claims to create an assertion. Since $f$ is considered a basic function (not a user-defined procedure), termination is as obvious as correctness.

(b) Conditional Rules

(b1) If-then-else

    $\langle\, p(\bar x) \land t(\bar x) \mid B_1 \mid q(\bar x, \bar x') \,\rangle$
    $\langle\, p(\bar x) \land \lnot t(\bar x) \mid B_2 \mid q(\bar x, \bar x') \,\rangle$
    --------------------------------------------------------------
    $\langle\, p(\bar x) \mid \text{if } t(\bar x) \text{ then } B_1 \text{ else } B_2 \mid q(\bar x, \bar x') \,\rangle$ .

The rule should read as follows: If under $p(\bar x)$ we succeeded in showing separately that whether we proceed with $t(\bar x)$ true to execute $B_1$ or with $t(\bar x)$ false to execute $B_2$, $q(\bar x, \bar x')$ holds in both cases, then clearly if we cross the combined conditional statement with $p(\bar x)$ initially true, we come out with $q(\bar x, \bar x')$.

Since the antecedents claim that both $B_1$ and $B_2$ when executed under the proper conditions terminate, the termination of the conditional statement under $p(\bar x)$ follows.

(b2) If-do

    $\langle\, p(\bar x) \land t(\bar x) \mid B \mid q(\bar x, \bar x') \,\rangle$
    $p(\bar x) \land \lnot t(\bar x) \supset q(\bar x, \bar x)$
    --------------------------------------------------------------
    $\langle\, p(\bar x) \mid \text{if } t(\bar x) \text{ do } B \mid q(\bar x, \bar x') \,\rangle$ .

This is the one clause (empty else) conditional statement. Note that if we do not execute $B$ we have to verify that $q(\bar x, \bar x)$ holds.

The  following  four  rules  are  composition  rules.  Some 
of  them  facilitate  composition  of  segments  while  the  others  allow 
composition  of  predicates. 

(c) Concatenation Rule

    $\langle\, p_1(\bar x) \mid B_1 \mid q_1(\bar x, \bar x') \,\rangle$                                   (1)
    $\langle\, p_2(\bar x) \mid B_2 \mid q_2(\bar x, \bar x') \,\rangle$                                   (2)
    $q_1(\bar x, \bar x') \supset p_2(\bar x')$                                                            (3)
    $q_1(\bar x, \bar x') \land q_2(\bar x', \bar x'') \supset q(\bar x, \bar x'')$                       (4)
    --------------------------------------------------------------
    $\langle\, p_1(\bar x) \mid B_1 ; B_2 \mid q(\bar x, \bar x') \,\rangle$ .

Condition (3) ensures that the state after execution of $B_1$ satisfies $p_2$ -- the needed precondition for $B_2$.

Condition (4) characterizes $q(\bar x, \bar x'')$ as a transfer relation between $\bar x$ before execution and $\bar x''$ after execution of $B_1 ; B_2$. It requires an intermediate $\bar x'$ which temporarily appears after execution of $B_1$ and before execution of $B_2$.

Note that by our convention (4) is universally quantified over $\bar x$, $\bar x'$ and $\bar x''$.

(d) Consequence Rules

(d1)
    $\langle\, r(\bar x) \mid B \mid q(\bar x, \bar x') \,\rangle$
    $p(\bar x) \supset r(\bar x)$
    --------------------------------------------------------------
    $\langle\, p(\bar x) \mid B \mid q(\bar x, \bar x') \,\rangle$

(d2)
    $\langle\, p(\bar x) \mid B \mid s(\bar x, \bar x') \,\rangle$
    $s(\bar x, \bar x') \supset q(\bar x, \bar x')$
    --------------------------------------------------------------
    $\langle\, p(\bar x) \mid B \mid q(\bar x, \bar x') \,\rangle$

The validity of the rules is obvious when we consider the meaning of the assertion.


(e) Or Rule

    $\langle\, p_1(\bar x) \mid B \mid q(\bar x, \bar x') \,\rangle$
    $\langle\, p_2(\bar x) \mid B \mid q(\bar x, \bar x') \,\rangle$
    --------------------------------------------------------------
    $\langle\, p_1(\bar x) \lor p_2(\bar x) \mid B \mid q(\bar x, \bar x') \,\rangle$

This rule creates the possibility for proof by case analysis.


(f) And Rule

    $\langle\, p(\bar x) \mid B \mid q_1(\bar x, \bar x') \,\rangle$
    $\langle\, p(\bar x) \mid B \mid q_2(\bar x, \bar x') \,\rangle$
    --------------------------------------------------------------
    $\langle\, p(\bar x) \mid B \mid q_1(\bar x, \bar x') \land q_2(\bar x, \bar x') \,\rangle$

This rule enables one to generate incremental proofs, by proving separately two independent properties, and then combining them by the and rule.

Note that it is sufficient to prove termination for only one of the antecedents' conditions of the and rule, so that in principle we could have a stronger rule:

    $\langle\, p(\bar x) \mid B \mid q_1(\bar x, \bar x') \,\rangle$
    $\{\, p(\bar x) \mid B \mid q_2(\bar x') \,\}$
    --------------------------------------------------------------
    $\langle\, p(\bar x) \mid B \mid q_1(\bar x, \bar x') \land q_2(\bar x') \,\rangle$

where we reserve the notation $\{\ \}$ for 'partial correctness assertion'.




(g) While Rule

    $\langle\, p(\bar x) \land t(\bar x) \mid B \mid q(\bar x, \bar x') \land [\lnot t(\bar x') \lor u(\bar x) \succ u(\bar x')] \,\rangle$   (1)
    $q(\bar x, \bar x') \land t(\bar x') \supset p(\bar x')$                                                    (2)
    $q(\bar x, \bar x') \land q(\bar x', \bar x'') \supset q(\bar x, \bar x'')$                                (3)
    $p(\bar x) \land \lnot t(\bar x) \supset q(\bar x, \bar x)$                                                (4)
    --------------------------------------------------------------
    $\langle\, p(\bar x) \mid \text{while } t(\bar x) \text{ do } B \mid q(\bar x, \bar x') \land \lnot t(\bar x') \,\rangle$

where $(W, \prec)$ is a well-founded set and $u : X \to W$.

The  above  seemingly  complicated  rule  is  devised  to 
overcome  several  difficulties  caused  by  the  need  to  prove 
termination.  Termination  of  a  looping  while  statement  is 
essentially  ensured  here  by  Floyd's  technique  [1967],  namely, 
producing  a  function  u  whose  values  keep  strictly  decreasing 
in  subsequent  executions  of  B. 

Condition (1) requires establishing a well-founded set $(W, \prec)$ with a partial order $\prec$ satisfying the descending chain condition, i.e., there is no infinite chain of elements from $W$, $a_1 \succ a_2 \succ \ldots$ . Also required is a partial function $u$ mapping some elements of our data domain $X$ into elements of $W$. If we were able to prove that after each execution of $B$, $u(\bar x) \succ u(\bar x')$ (where by writing this inequality we also mean that $u(\bar x)$ and $u(\bar x')$ are both defined), then clearly $B$ cannot repeatedly execute an infinite number of times or we would violate the descending chain condition.

The demand for the existence of a descending counter which is defined for all executions of the while body $B$ can be relaxed for the case of the last execution of $B$. Thus if we are positive that this is the last execution of $B$, we may allow the counter function to become undefined or stop decreasing. Accordingly, we require in (1) the alternatives of either $\lnot t(\bar x')$ true, implying immediate termination, or the existence of the counter function which will also ultimately ensure termination.

Condition (2) requires that having executed $B$ at least once, and having $t(\bar x')$ correct at this instance, logically establishes $p(\bar x')$. $p(\bar x)$ is exactly the condition we need to use (1) once more and thus propagate the validity of $q$ for all subsequent executions.

Condition (3) ensures that $q(\bar x, \bar x')$ is transitive. Therefore, once we showed in (1) that it holds over one execution of $B$, it follows that it will hold over any number of repeated executions of $B$. Consequently, it will hold over the repeating while statement.

Condition (4) deals with the case of the initially vacant while statement, where $B$ did not execute even once. There also we wish to establish the final outcome $q(\bar x, \bar x')$.

Note that (1) establishes the termination of $B$ itself.

In the proofs appearing in the following examples we often make use of the consequence rule within while rule derivations without explicit indication. Thus, for example, we frequently use the condition:

$\langle\, p(\bar x) \land t(\bar x) \mid B \mid q(\bar x, \bar x') \land [u(\bar x) \succ u(\bar x')] \,\rangle$

which implies condition (1) above by the consequence rule. Similarly we use the consequent:

$\langle\, p(\bar x) \mid \text{while } t(\bar x) \text{ do } B \mid q(\bar x, \bar x') \,\rangle$

omitting the conjunct $\lnot t(\bar x')$.
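As an added illustration (not part of the original paper), the following Python checker samples the four antecedents of the while rule on concrete states. It is a test, not a proof: it can only exhibit a violated condition, never establish the rule. It is applied to statement b of Example 1 below (while $x_1 > x_2$ do $x_1 \leftarrow x_1 - x_2$) with the predicates of Lemma b1, and then to a constructed non-transitive $q$ and a constructed non-decreasing counter, to show how conditions (3) and (1) fail. The function and variable names, and the sample states, are ours.

```python
from typing import Callable, Iterable, List, Tuple

# A state is the vector of program variables; here (x1, x2) as in Example 1.
State = Tuple[int, int]


def check_while_rule(p: Callable[[State], bool],
                     t: Callable[[State], bool],
                     body: Callable[[State], State],
                     q: Callable[[State, State], bool],
                     u: Callable[[State], int],
                     states: Iterable[State]) -> List[int]:
    """Sample-based check of the four antecedents of the while rule for
    `while t(x) do B`, with u a counter into the non-negative integers.
    Returns the sorted list of condition numbers found violated ([] = none)."""
    violated = set()
    for x in states:
        # (4): a vacant loop (p true, t false) must still satisfy q(x, x)
        if p(x) and not t(x) and not q(x, x):
            violated.add(4)
        if not (p(x) and t(x)):
            continue
        chain = [x]                      # x, x', x'', ... along one run
        while p(chain[-1]) and t(chain[-1]):
            x0 = chain[-1]
            x1 = body(x0)
            # (1): q holds over one execution of B, and either the loop exits
            #      or the counter strictly decreases (and stays defined, i.e. >= 0)
            if not (q(x0, x1) and (not t(x1) or u(x0) > u(x1) >= 0)):
                violated.add(1)
                break
            # (2): q(x, x') together with t(x') re-establishes p(x')
            if t(x1) and not p(x1):
                violated.add(2)
                break
            chain.append(x1)
        # (3): transitivity of q, checked on every triple of the executed chain
        for a in range(len(chain)):
            for b in range(a + 1, len(chain)):
                for c in range(b + 1, len(chain)):
                    if q(chain[a], chain[b]) and q(chain[b], chain[c]) \
                            and not q(chain[a], chain[c]):
                        violated.add(3)
    return sorted(violated)


# Statement b of Example 1: while x1 > x2 do a: x1 <- x1 - x2 (x1, x2 > 0 assumed),
# with the predicates of Lemma b1.
def t_b1(x: State) -> bool:
    return x[0] > x[1]

p_b1 = t_b1

def body_a(x: State) -> State:
    return (x[0] - x[1], x[1])

def q_b1(x: State, xp: State) -> bool:
    return x[0] + x[1] > xp[0] + xp[1]

def u_b1(x: State) -> int:
    return x[0] + x[1]

# Constructed counter-examples: a relation that is true of a single step of a
# but not transitive (violates (3)), and a counter that never decreases (violates (1)).
def q_nontransitive(x: State, xp: State) -> bool:
    return xp[0] == x[0] - x[1] and xp[1] == x[1]

def u_bad(x: State) -> int:
    return x[1]

# Constructed sample of start states (all with x1, x2 > 0).
SAMPLE_STATES = [(7, 2), (9, 4), (5, 5), (2, 3), (1, 1)]


def demo() -> Tuple[List[int], List[int], List[int]]:
    return (check_while_rule(p_b1, t_b1, body_a, q_b1, u_b1, SAMPLE_STATES),
            check_while_rule(p_b1, t_b1, body_a, q_nontransitive, u_b1, SAMPLE_STATES),
            check_while_rule(p_b1, t_b1, body_a, q_b1, u_bad, SAMPLE_STATES))


if __name__ == "__main__":
    print(demo())   # ([], [3], [1])
```

The transitivity check only sees chains that were actually executed, so a relation that fails (3) on states the loop never visits will not be caught; this is the sense in which the checker is a test of the proof obligations rather than a substitute for discharging them.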


III. Illustration of the Method

We present below two examples for which we can prove total correctness by our method. Because of the amount of detail involved we will concentrate on proving termination, with only general indication of the modifications required to add correctness.

Example 1

The following while program over the integers is supposed to compute the greatest common divisor of two positive integers $x_1$ and $x_2$ -- $\gcd(x_1, x_2)$ -- leaving the result in $x_1$. To refer to program segments we use ordinary Algol labels.

    P:  START;
        while x1 ≠ x2 do
          e: begin
               b: while x1 > x2 do a: x1 ← x1 - x2;
               d: while x2 > x1 do c: x2 ← x2 - x1
             end;
        HALT.

We would like to prove that the program $P$ is totally correct with respect to

$\varphi(x_1, x_2) \equiv x_1 > 0 \land x_2 > 0$

and

$\psi(x_1, x_2, x_1', x_2') \equiv x_1' = \gcd(x_1, x_2)$ .

We prove in detail termination only. The well-founded set we use is the domain of non-negative integers with the ordinary $<$ relation. As the termination function for all while statements we take $u(x_1, x_2) = x_1 + x_2$.

Our proof of termination distinguishes between two cases according to whether $x_1 > x_2$ or $x_1 < x_2$ upon entrance to the compound statement $e$. In the first case, statement $a$ is executed at least once ($x_1 + x_2$ decreasing), while statement $c$ is executed 0 or more times ($x_1 + x_2$ remaining the same or decreasing). In the second case statement $a$ is never executed ($x_1 + x_2$ unchanged of course), while statement $c$ is executed at least once ($x_1 + x_2$ decreasing). We will therefore analyze in our proof these two cases separately and then combine their results using the Or rule.

In all the predicates of the following assertions the conjunction $x_1 > 0 \land x_2 > 0$ is omitted.

Lemma a1 (Assignment Rule)

Since

$x_1 > x_2 \land x_1' = x_1 - x_2 \land x_2' = x_2 \supset x_1 + x_2 > x_1' + x_2'$

we get

$\langle\, x_1 > x_2 \mid a \mid x_1 + x_2 > x_1' + x_2' \,\rangle$

by the assignment rule.
Lemma b1 (While Rule)

We use the while rule with the following predicates:

$p(\bar x) \equiv t(\bar x) \equiv x_1 > x_2$ ,
$q(\bar x, \bar x') \equiv x_1 + x_2 > x_1' + x_2'$ .

Condition (1) of the while rule is justified by Lemma a1.

We obtain

$\langle\, x_1 > x_2 \mid b \mid x_1 + x_2 > x_1' + x_2' \,\rangle$ .

Note that condition (4) of the while rule is trivially satisfied because

$p(\bar x) \land \lnot t(\bar x) \equiv F$ .

Lemma c1 (Assignment Rule)

Since

$x_2 > x_1 \land x_1' = x_1 \land x_2' = x_2 - x_1 \supset x_1 + x_2 > x_1' + x_2'$ ,

we get by the assignment rule

$\langle\, x_2 > x_1 \mid c \mid x_1 + x_2 > x_1' + x_2' \,\rangle$ .


Lemma d1 (While Rule)

Assume the following substitution:

$p(\bar x) \equiv T$ , $t(\bar x) \equiv x_2 > x_1$ , and
$q(\bar x, \bar x') \equiv x_1 + x_2 \ge x_1' + x_2'$ .

Condition (1) of the while rule is justified by Lemma c1.

We obtain

$\langle\, T \mid d \mid x_1 + x_2 \ge x_1' + x_2' \,\rangle$ .

Note that condition (4) is satisfied since $x_1 + x_2 \ge x_1 + x_2$.
Lemma e1 (Concatenation Rule)

Combine Lemmas b1 and d1 and use

$x_1 + x_2 > x_1' + x_2' \land x_1' + x_2' \ge x_1'' + x_2'' \supset x_1 + x_2 > x_1'' + x_2''$

to obtain

$\langle\, x_1 > x_2 \mid e \mid x_1 + x_2 > x_1' + x_2' \,\rangle$ .

We now treat the case of $x_1 < x_2$ upon entrance to $e$.

Lemma a2 (Assignment Rule)

Since

$F \land x_1' = x_1 - x_2 \land x_2' = x_2 \supset F$

we have

$\langle\, F \mid a \mid F \,\rangle$ .

Lemma b2 (While Rule)

Take

$t(\bar x) \equiv x_1 > x_2$ , $p(\bar x) \equiv x_1 < x_2$ , and
$q(\bar x, \bar x') \equiv x_1' < x_2' \land (x_1 + x_2 = x_1' + x_2')$ .

By using a consequence of Lemma a2 we obtain

$\langle\, x_1 < x_2 \mid b \mid x_1' < x_2' \land (x_1 + x_2 = x_1' + x_2') \,\rangle$ .

Condition (1) is satisfied here since by the consequence rules $\langle\, F \mid a \mid F \,\rangle$ implies

$\langle\, p(\bar x) \land t(\bar x) \mid a \mid q(\bar x, \bar x') \land \lnot t(\bar x') \,\rangle$ .

Note that under the initial condition $x_1 < x_2$ the while statement $b$ never executes.

Lemma c2 (Assignment Rule)

By the assignment rule

$\langle\, x_1 < x_2 \mid c \mid x_1 + x_2 > x_1' + x_2' \,\rangle$ .

Lemma d2 (While Rule)

Take

$p(\bar x) \equiv t(\bar x) \equiv x_1 < x_2$ , and
$q(\bar x, \bar x') \equiv x_1 + x_2 > x_1' + x_2'$ .

Using Lemma c2 we obtain

$\langle\, x_1 < x_2 \mid d \mid x_1 + x_2 > x_1' + x_2' \,\rangle$ .

Lemma e2 (Concatenation Rule)

By combining Lemmas b2 and d2 we obtain

$\langle\, x_1 < x_2 \mid e \mid x_1 + x_2 > x_1' + x_2' \,\rangle$ .
Lemma e (Or Rule)

From Lemmas e1 and e2 combined we get

$\langle\, x_1 \ne x_2 \mid e \mid x_1 + x_2 > x_1' + x_2' \,\rangle$ .

Lemma f (While Rule)

Take

$t(\bar x) \equiv x_1 \ne x_2$ , $p(\bar x) \equiv x_1 > 0 \land x_2 > 0$ , and
$q(\bar x, \bar x') \equiv x_1' > 0 \land x_2' > 0$ .

Note that $x_1 > 0 \land x_2 > 0$ was implicitly assumed in all previous preconditions. Using Lemma e in condition (1) we get:

$\langle\, x_1 > 0 \land x_2 > 0 \mid P \mid x_1' = x_2' \,\rangle$ .

We have thus shown termination with the additional information that on exit $x_1' = x_2'$.


On trying to extend this result to prove correctness as well as termination, we run into the notion of incremental proofs, i.e., having proved some properties of the program including termination, how do we prove additional properties without repeating the whole proof process.

For this particular example, this can be solved by the following argument:

Assume that instead of any $q(\bar x, \bar x')$ appearing in the assertions we used the predicate

$q(\bar x, \bar x') \land [\gcd(x_1, x_2) = \gcd(x_1', x_2')]$ .

It is not difficult to ascertain that all the lemmas remain valid. Consequently, we are able to prove for the complete program:

$\langle\, x_1 > 0 \land x_2 > 0 \mid P \mid x_1' = x_2' \land \gcd(x_1, x_2) = \gcd(x_1', x_2') \,\rangle$ ,

i.e.,

$\langle\, x_1 > 0 \land x_2 > 0 \mid P \mid x_1' = \gcd(x_1, x_2) \,\rangle$ .
Generalizing the above argument, we may consider any transitive relation $s(\bar x, \bar x')$ with the following properties

$\forall \bar x\,[s(\bar x, \bar x)]$ and $\forall \bar x, \bar x', \bar x''\,[s(\bar x, \bar x') \land s(\bar x', \bar x'') \supset s(\bar x, \bar x'')]$ .

It is possible then to verify the following metatheorem:

Metatheorem. Suppose that $\alpha \equiv \langle\, \varphi(\bar x) \mid P \mid \psi(\bar x, \bar x') \,\rangle$ had been proved. Let $s(\bar x, \bar x')$ be a transitive relation such that for any lemma of the form $\langle\, p(\bar x) \mid B \mid q(\bar x, \bar x') \,\rangle$ used in proving $\alpha$, where $B$ is an assignment statement of $P$, it is possible to prove $\langle\, p(\bar x) \mid B \mid q(\bar x, \bar x') \land s(\bar x, \bar x') \,\rangle$. Then the assertion $\alpha^{+} \equiv \langle\, \varphi(\bar x) \mid P \mid \psi(\bar x, \bar x') \land s(\bar x, \bar x') \,\rangle$ is also true for the complete program.

Thus it is sufficient to treat assignment statements in incrementing our claims. In the previous example, the only assignment statements one has to consider are

$x_2 \leftarrow x_2 - x_1$ and $x_1 \leftarrow x_1 - x_2$ ,

which obviously preserve the gcd function.

In order to prove the metatheorem, one has to inspect all the non-assignment rules and verify that if $s$ was preserved in the constituents it will be preserved in the bigger segment.
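The metatheorem reduces the incremental step to the assignment statements alone. As an added example (not the paper's own code), the following Python code checks on a constructed grid of states that the two assignment statements a and c of program P preserve $s(\bar x, \bar x') \equiv \gcd(x_1, x_2) = \gcd(x_1', x_2')$ under the preconditions of Lemmas a1 and c1, then runs P with the counter $u = x_1 + x_2$ checked at run time on every execution of the body e, and confirms the incremented assertion $\psi \land s$ on exit. The names stmt_a, stmt_c, s_gcd, assignments_preserve_s, run_P and totally_correct are ours, and the grid bound is arbitrary.

```python
from itertools import product
from math import gcd
from typing import Tuple

State = Tuple[int, int]   # (x1, x2)


# The only two assignment statements of program P (Example 1).
def stmt_a(x: State) -> State:      # a: x1 <- x1 - x2
    return (x[0] - x[1], x[1])


def stmt_c(x: State) -> State:      # c: x2 <- x2 - x1
    return (x[0], x[1] - x[0])


def s_gcd(x: State, xp: State) -> bool:
    """The relation s(x, x') added by the metatheorem: gcd(x1, x2) = gcd(x1', x2').
    It is reflexive and transitive, as the metatheorem requires."""
    return gcd(*x) == gcd(*xp)


def assignments_preserve_s(bound: int = 30) -> int:
    """The metatheorem's only proof obligation, checked on a constructed grid:
    each assignment statement, executed under the precondition of its lemma
    (a1: x1 > x2, c1: x2 > x1), preserves s. Returns the number of
    (statement, state) pairs checked, or -1 on the first violation."""
    checked = 0
    for x in product(range(1, bound + 1), repeat=2):
        if x[0] > x[1]:
            if not s_gcd(x, stmt_a(x)):
                return -1
            checked += 1
        if x[1] > x[0]:
            if not s_gcd(x, stmt_c(x)):
                return -1
            checked += 1
    return checked


def run_P(x1: int, x2: int) -> State:
    """Program P of Example 1. Under phi (x1, x2 > 0) the counter u = x1 + x2
    must strictly decrease on every execution of the body e of the outer while
    (Lemma e); this is checked at run time."""
    assert x1 > 0 and x2 > 0
    x = (x1, x2)
    while x[0] != x[1]:
        u_before = x[0] + x[1]
        while x[0] > x[1]:          # b
            x = stmt_a(x)           # a
        while x[1] > x[0]:          # d
            x = stmt_c(x)           # c
        assert 0 < x[0] + x[1] < u_before, "counter u did not decrease"
    return x


def totally_correct(x1: int, x2: int) -> bool:
    """psi with the increment s: on exit x1' = x2', the gcd is preserved, and
    therefore x1' = gcd(x1, x2)."""
    xp = run_P(x1, x2)
    return xp[0] == xp[1] and s_gcd((x1, x2), xp) and xp[0] == gcd(x1, x2)


if __name__ == "__main__":
    print(assignments_preserve_s(), run_P(12, 18), totally_correct(12, 18))
```

Note that the grid check exercises the assignment lemmas only; the rest of the incremented proof is carried by the metatheorem, which is why run_P need not re-check s inside the loops.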
Example 2: Partition (Hoare [1961])

The purpose of the program given below is to rearrange the elements of an array $A$ of $n + 1$, $n \ge 2$, real numbers $A[0], \ldots, A[n]$ and to find two integers $i$ and $j$, such that

$0 \le j < i \le n$

and for the rearranged array

$\forall a \forall b\,[(0 \le a < i \land j < b \le n) \supset A[a] \le A[b]]$ .

In other words, we would like to rearrange the elements of $A$ into two non-empty partitions such that those in the lower partition $A[0], \ldots, A[i-1]$ are less than or equal to those in the upper partition $A[j+1], \ldots, A[n]$, where $0 \le j < i \le n$.


    P:  START;
        s:  r ← A[n ÷ 2]; (i,j) ← (0,n);
        m:  while i ≤ j do
            l:  begin
                  e:  begin
                        b:  while A[i] < r do a: i ← i + 1;
                        d:  while r < A[j] do c: j ← j - 1
                      end;
                  k:  if i ≤ j do
                        h:  begin
                              f:  A[i] ↔ A[j];
                              g:  (i,j) ← (i+1, j-1)
                            end
                end;
        HALT.
We will prove in detail termination only. Our proof follows the ideas presented in Hoare's [1971] informal proof of termination. We introduce the following abbreviations:

$\alpha(i) \equiv \exists p\,[i \le p \le n \land r \le A[p]]$
$\beta(j) \equiv \exists q\,[0 \le q \le j \land A[q] \le r]$ .

These invariants are used to ensure that while $i$ is stepped up and $j$ is stepped down they do not exceed the bounds of $n$ and $0$ respectively.

Lemma a (Assignment Rule)

$\langle\, \alpha(i) \land \beta(j) \land A[i] < r \mid a{:}\ i \leftarrow i + 1 \mid \alpha(i') \land \beta(j') \land [i' > j' \lor j - i > j' - i'] \land n - i > n - i' \,\rangle$ .

Clearly $\beta(j)$ validity is invariant since $j$ is not modified by this statement. From $\alpha(i)$ correctness we infer the existence of $p$ which since $A[p] \ge r$ must be $p > i$, so that we might take the same $p$ to establish $\alpha(i+1) \equiv \alpha(i')$. The statement about $n - i$ decreasing will be used for termination of the while statement $b$, while the function $j - i$ will be used for proving termination of $m$. Both are over the domain of non-negative integers. The alternatives presented in the bracket are either the function $j - i$ decreasing (non-increasing) or $j' < i'$, which will imply that this must be the last execution of $l$. Note that if the second holds true, then $j' - i'$ is not defined.

Lemma b (While Rule)

Using Lemma a with

$p(\bar x) \equiv \alpha(i) \land \beta(j)$
$q(\bar x, \bar x') \equiv \alpha(i') \land \beta(j') \land [i' > j' \lor j - i \ge j' - i']$
$u(\bar x) \equiv n - i$ ,

we get

$\langle\, \alpha(i) \land \beta(j) \mid b{:}\ \text{while } A[i] < r \text{ do } a{:}\ i \leftarrow i + 1 \mid \beta(j') \land [i' > j' \lor j - i \ge j' - i'] \land A'[i'] \ge r \,\rangle$ .

Note that we do not need $\alpha(i')$ any more, but will use instead the conclusion of the while's termination $A'[i'] \ge r$ which also implies $i' \le n$.

Lemma c (Assignment Rule)

$\langle\, A[i] \ge r \land \beta(j) \land A[j] > r \mid c{:}\ j \leftarrow j - 1 \mid \beta(j') \land A'[i'] \ge r \land [i' > j' \lor j - i \ge j' - i'] \land j > j' \,\rangle$ .

The function ensuring termination for the inner while $d$ is $j$.

Lemma d (While Rule)

From Lemma c with

$p(\bar x) \equiv A[i] \ge r \land \beta(j)$
$q(\bar x, \bar x') \equiv \beta(j') \land A'[i'] \ge r \land [i' > j' \lor j - i \ge j' - i']$
$u(\bar x) \equiv j$ ,

we get

$\langle\, A[i] \ge r \land \beta(j) \mid d{:}\ \text{while } r < A[j] \text{ do } c{:}\ j \leftarrow j - 1 \mid A'[i'] \ge r \land [i' > j' \lor j - i \ge j' - i'] \land A'[j'] \le r \,\rangle$ .
Lemma e (Concatenation Rule)

Combining Lemmas b and d we get

$\langle\, \alpha(i) \land \beta(j) \mid e{:}\ \text{begin } b;\ d \text{ end} \mid A'[j'] \le r \le A'[i'] \land [i' > j' \lor j - i \ge j' - i'] \,\rangle$ .

Lemma f (Assignment Rule)

$\langle\, A[j] \le r \le A[i] \land i \le j \mid f{:}\ A[i] \leftrightarrow A[j] \mid A'[i'] \le r \le A'[j'] \land j - i = j' - i' \land i' \le j' \,\rangle$ .

The condition $i \le j$ is added since it is known to be true if we enter statement $h$. Clearly, after exchanging $A[i]$ and $A[j]$ the previous inequalities are reversed.

Lemma g (Assignment Rule)

$\langle\, i \le j \land A[i] \le r \le A[j] \mid g{:}\ (i,j) \leftarrow (i+1,\, j-1) \mid i' > j' \lor [j - i > j' - i' \land \alpha(i') \land \beta(j')] \,\rangle$ .

This result is obtained by case analysis: Either $i + 1 \le j - 1$, in which case we have $i < i' \le j' < j$ and we can take $p = j$ to establish $\alpha(i')$ and $q = i$ to establish $\beta(j')$. The other case is $i + 1 > j - 1$ or, in other words, $i' > j'$.
Lemma h (Concatenation Rule)

By combining Lemmas f and g we get

$\langle\, i \le j \land A[j] \le r \le A[i] \mid h{:}\ \text{begin } f;\ g \text{ end} \mid i' > j' \lor [j - i > j' - i' \land \alpha(i') \land \beta(j')] \,\rangle$ .

Lemma k (If-do Rule)

By Lemma h we get

$\langle\, A[j] \le r \le A[i] \mid k{:}\ \text{if } i \le j \text{ do } h \mid i' > j' \lor [j - i > j' - i' \land \alpha(i') \land \beta(j')] \,\rangle$ .

Note that in the case where the do clause is skipped $i > j$, so that the conclusion is still correct.


Lemma l (Concatenation Rule)

Combining Lemmas e and k we obtain:

$\langle\, \alpha(i) \land \beta(j) \mid l{:}\ \text{begin } e;\ k \text{ end} \mid i' > j' \lor [j - i > j' - i' \land \alpha(i') \land \beta(j')] \,\rangle$ .

Note that by the consequence rule this can be rewritten as

$\langle\, \alpha(i) \land \beta(j) \mid l{:}\ \text{begin } e;\ k \text{ end} \mid [(i' \le j') \supset (\alpha(i') \land \beta(j'))] \land [i' > j' \lor j - i > j' - i'] \,\rangle$

which is in a form more useful for the next step.


Now we are ready to prove termination of the encompassing while statement. We have shown, in fact, that after one execution of $l$ starting with $\alpha(i)$, $\beta(j)$ both valid, we either have $i' > j'$ which ensures no more repetitions of $l$ or have $\alpha(i')$, $\beta(j')$ true again and a termination function $j - i$ strictly decreasing.

Lemma m (While Rule)

From Lemma l with

$p(\bar x) \equiv \alpha(i) \land \beta(j)$
$q(\bar x, \bar x') \equiv i' \le j' \supset [\alpha(i') \land \beta(j')]$ ,

we get

$\langle\, \alpha(i) \land \beta(j) \mid m{:}\ \text{while } i \le j \text{ do } l \mid T \,\rangle$ .

Lemma s (Assignment + Concatenation Rules)

Establishes the initial conditions:

$\langle\, n \ge 2 \mid s{:}\ r \leftarrow A[n \div 2];\ (i,j) \leftarrow (0,n) \mid \alpha(i') \land \beta(j') \,\rangle$ .

Lemma P (Concatenation Rule)

Concatenation of Lemmas m and s yields

$\langle\, n \ge 2 \mid P \mid T \,\rangle$ ,

which shows termination of $P$.
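As an added example (not part of the paper, and not Hoare's program text), the following Python version of program P carries the invariants $\alpha(i)$, $\beta(j)$ and the counters $n - i$, $j$ and $j - i$ of Lemmas a through m as run-time assertions, so that an execution which violated one of the lemmas' relations would stop at the offending statement; it then checks the output condition $0 \le j < i \le n$ together with the ordering of the two partitions. The function names and the sample inputs are ours, and the run-time checks illustrate the proof obligations rather than replace the proof.

```python
from itertools import permutations
from typing import List, Tuple


def alpha(A: List[float], r: float, i: int, n: int) -> bool:
    """alpha(i): there is p with i <= p <= n and r <= A[p]."""
    return any(r <= A[p] for p in range(i, n + 1))


def beta(A: List[float], r: float, j: int) -> bool:
    """beta(j): there is q with 0 <= q <= j and A[q] <= r."""
    return any(A[q] <= r for q in range(0, j + 1))


def partition(A: List[float]) -> Tuple[int, int, List[float]]:
    """Program P of Example 2 run on a copy of A (n = len(A) - 1 >= 2).
    Every while statement carries the invariant and the termination counter of
    its lemma as a run-time check: n - i for b, j for d, j - i for m.
    Returns (i, j, rearranged array)."""
    A = list(A)
    n = len(A) - 1
    assert n >= 2
    r = A[n // 2]                                       # s
    i, j = 0, n
    assert alpha(A, r, i, n) and beta(A, r, j)          # Lemma s: initial conditions
    while i <= j:                                       # m
        assert alpha(A, r, i, n) and beta(A, r, j)      # p(x) of Lemma m
        ji_before = j - i                               # counter for m
        while A[i] < r:                                 # b
            assert alpha(A, r, i, n) and i < n          # Lemma a: i + 1 stays <= n
            i += 1                                      # a  (n - i decreases)
        assert i <= n and A[i] >= r                     # Lemma b: exit condition of b
        while r < A[j]:                                 # d
            assert beta(A, r, j) and j > 0              # Lemma c: j - 1 stays >= 0
            j -= 1                                      # c  (j decreases)
        assert j >= 0 and A[j] <= r <= A[i]             # Lemma e
        if i <= j:                                      # k
            A[i], A[j] = A[j], A[i]                     # f
            i, j = i + 1, j - 1                         # g
        assert i > j or j - i < ji_before               # Lemma l: j - i decreased
    return i, j, A


def partitioned(A: List[float]) -> bool:
    """Checks the stated output condition: 0 <= j < i <= n and every element
    of A'[0..i-1] is <= every element of A'[j+1..n]; also that A' is a
    rearrangement of A."""
    i, j, B = partition(A)
    n = len(A) - 1
    in_bounds = 0 <= j < i <= n
    ordered = all(B[a] <= B[b] for a in range(0, i) for b in range(j + 1, n + 1))
    return in_bounds and ordered and sorted(B) == sorted(A)


def all_small_inputs_partitioned(k: int = 5) -> bool:
    """Exhaustive check over all permutations of 1..k, plus constructed arrays
    with repeated elements (the lemmas nowhere assume distinct values)."""
    perms = all(partitioned(list(p)) for p in permutations(range(1, k + 1)))
    dups = all(partitioned(A) for A in ([2, 2, 2], [1, 1, 2, 1],
                                        [0.5, 0.5, 1.5, 0.5, 0.5]))
    return perms and dups


if __name__ == "__main__":
    print(partition([5, 4, 3, 2, 1]), all_small_inputs_partitioned())
```

The two bound assertions inside b and d are exactly what $\alpha(i)$ and $\beta(j)$ buy: with $A[i] < r$ the witness $p$ of $\alpha(i)$ lies strictly above $i$, so $i + 1 \le n$, and symmetrically for $j$.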